Encrypt Your Gmail, Hotmail, And Other Webmail: Here’s How

Edward Snowden is fast becoming a household name. His NSA revelations brought shock and awe into American households, as individuals and families started to realize that their communications were not quite as private as they had originally thought. To partially calm some of those nerves, I’d like to offer a few easy ways that you can encrypt your webmail to at least try and maintain some semblance of email privacy in a world filled with snoops and spies.

Before we get started, it’s important to understand what types of encryption are available to you when you’re using webmail like Gmail, Hotmail and others. In general, people will use either public-key cryptography or secret key cryptography, depending on the application and how comfortable people feel with the process of sending emails in each case. Some people feel that public-key cryptography is very secure, while other people like to maintain the password part of the equation privately, so they use secret key cryptography.

Public key – asymmetric cryptography – is most common. It’s a secure digital transmission system involving basically two keys for each person on each end of a message transfer. The recipient and sender both have public and private keys. The public key can be handed out like candy. It simply allows someone to send you an encrypted message. The private key, on the other hand, is to be kept secure, as it’s what identifies that you are really the recipient.

Secret key – symmetric cryptography – is actually very secure, but it’s also very simple. You basically encrypt the message using a single secret cryptographic key, and the recipient can’t open the message without that key. In this article, I’m going to show you how you can do both using webmail.

Encrypting Messages in Webmail

Which method you choose to send encrypted emails really depends on what you’re trying to do and who you’re sending it to. In both examples here, you’re going to need to share a key of some form with the other person – either your public key in the case of asymmetric, or your secret key in the case of symmetric. Obviously, this means you’ll need a way to get the secret password to the other person. If you don’t have a secure way to get it to them, you’re best to go with asymmetric (public-key) as the safest option. If you have a safe way to get a secret password to them, by all means take the secret key approach.

Secret Key Webmail Encryption

I’ve used secret key encryption before to communicate with one of my correspondents overseas in China. The way we worked it out was that while talking with him on a landline while he was on his vacation in the U.S., I told him the password we would use for communications. Once he returned to China, we used a particular website (which he thankfully had access to through the China firewall) to encrypt and decrypt our emailed messages. One such website is InfoEncrypt.

A lot of people like the secret-key encryption approach because it’s so simple. You visit the site, type your message along with a password, and then click the “Encrypt” button.
This will provide you with an encrypted message that can only be decrypted if someone has the secret key that you’ve just created. You then take the encrypted message and paste it into your webmail message to the recipient.
The recipient will copy this message, paste it into the website’s text field, type the password and then click decrypt. If they have the right password, they’ll see your message!

A similar site to this is SafeMess. This website will encrypt the message in the same way, but it also offers another nice level of security by destroying the encrypted message after a certain amount of time passes. This means that if you make the message “self-destruct” in 24 hours, even if someone obtains the password a week from the time you create the message, it will no longer decrypt, even with the correct password.
This is a pretty nice level of added security, because you can tell the person in the subject of the encrypted email that they have 24 hours to retrieve the message. After that, it’ll self destruct and no one will ever see that message again.
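
The same secret-key approach can be carried out entirely on your own machine, so the plaintext and the password never leave it. The code below is an added example, not code from InfoEncrypt or SafeMess; the message layout, the BEGIN/END markers and the scrypt settings are assumptions chosen for illustration, and it runs under Node.js with only the built-in crypto module.

```javascript
// Added example (not from any site named in the article). The layout
// salt | iv | tag | ciphertext and the armor markers are assumptions.
const crypto = require('crypto');

// scrypt cost; maxmem is raised because N=2^15, r=8 exceeds Node's 32 MiB default.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const HEAD = '-----BEGIN EXAMPLE MESSAGE-----';
const FOOT = '-----END EXAMPLE MESSAGE-----';

// Stretch the shared passphrase into a 256-bit AES key.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, KDF);
}

function encryptForPaste(plaintext, passphrase) {
  const salt = crypto.randomBytes(16); // fresh per message, so each message gets its own key
  const iv = crypto.randomBytes(12);   // 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
  // 64-column lines survive the line folding that webmail editors apply.
  return [HEAD, ...blob.match(/.{1,64}/g), FOOT].join('\n');
}

function decryptFromPaste(pasted, passphrase) {
  const start = pasted.indexOf(HEAD);
  const end = pasted.indexOf(FOOT);
  if (start < 0 || end < start) throw new Error('no encrypted block found');
  // Drop newlines, spaces and "> " reply quoting; keep only base64 characters.
  const b64 = pasted.slice(start + HEAD.length, end).replace(/[^A-Za-z0-9+\/=]/g, '');
  const raw = Buffer.from(b64, 'base64');
  if (raw.length < 44) throw new Error('encrypted block is truncated');
  const key = deriveKey(passphrase, raw.subarray(0, 16));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(16, 28),
    { authTagLength: 16 });
  decipher.setAuthTag(raw.subarray(28, 44));
  try {
    return Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]).toString('utf8');
  } catch (err) {
    // GCM authentication failed: the key is wrong or the text was modified.
    throw new Error('wrong passphrase or message was altered');
  }
}
```

Because the cipher is authenticated, a wrong password and a modified message both fail with an error instead of producing garbage text.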

Encrypting Webmail in Firefox

The next approach to cover is public-key encryption. I’m going to show you how you can use this encryption in your webmail accounts in either Firefox or in Chrome. There used to be a Firefox extension called Gmail S/Mime to encrypt Gmail messages, but the latest evolution of that is an awesome encryption service called Penango. Once you install Penango in Firefox, you can see the general settings and the settings for webmail accounts in the options area.
You aren’t done after you’ve installed Penango. If you want to exchange secure messages, you need to obtain your key. You do this by going to Comodo and signing up for one.
Once you sign up at Comodo, there’s a quick button to install the Comodo certificate on your system.
In Firefox, go to Tools and select Certificate Manager. If it installed correctly, you should see your installed certificate listed there. You now have your public/private keys and you’re ready to start sending and receiving secure, encrypted messages.

Open up Gmail and you should immediately see an alert on the screen telling you that Penango is activated and “successfully acquired OAuth token”.
Go ahead and compose a message. You’ll see a few more things that confirm you’ve successfully installed your webmail security system. A message tells you that recipients will be assured you’re the sender. Also, there’s a small “seal of authenticity” stamp on the blue Gmail send button, and in the lower right corner you’ll see buttons to turn on or off email signing, or to turn encryption on or off.

Just keep in mind that your recipient will also need to be registered and set up to receive your encrypted message. Otherwise, you won’t be able to enable encryption.

Encrypted Webmail in Chrome

One of the best plugins in Chrome for encrypted webmail is Mailvelope. Dave also touched on Mailvelope a while back. This is my favorite because of the ease of use. Just install the plugin, and go into the options area to see the key manager. If you’ve just installed it, then this area will be empty.
Click on the “Generate Key” link in the left menu to create your public and private keys. Under advanced, you can set the encryption algorithm you want to use if you like. Create a secure passphrase, and then generate the key. The keys are only stored locally in your browser.
Now, when you go back to the “Display Key” list, you’ll see the key that you’ve just created.
When you want to give someone your public key, you’ll just have to click on the export button and display it and copy to clipboard, or send it directly to someone via email.
Once the recipient has the key, you can send them a secure email message by clicking the Mailvelope icon on the right side of the message compose window.
This opens a new application window isolated from the webmail system, where you can type in your email message in plain text, and then click the lock icon to convert it into an encrypted message using your registered keys.
Hitting the transfer button will paste the encrypted text into your Gmail compose window.

Mailvelope works in Webmail systems like Gmail, Yahoo and more – so that you can transmit messages using some of the most secure algorithms available to the public.
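
The steps above (generate a passphrase-protected key pair, export the public half, encrypt to the recipient, and optionally sign as the sender) reduce to the following. This is an added example, not code from Mailvelope or Penango, and it does not produce OpenPGP or S/MIME messages; the function names and the dot-separated message format are assumptions, and it runs under Node.js with the built-in crypto module.

```javascript
// Added example: the function names and message format are assumptions.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// "Generate Key": the private half is stored encrypted under the passphrase.
function generateKey(passphrase) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' }, // the part you export and hand out
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

// Sign with the sender's private key, then encrypt to the recipient's public key.
function signAndEncrypt(text, sender, senderPassphrase, recipientPublicKey) {
  const sig = crypto.sign('sha256', Buffer.from(text, 'utf8'),
    { key: sender.privateKey, passphrase: senderPassphrase });
  const inner = JSON.stringify({ text, sig: sig.toString('base64') });
  // A one-time AES key encrypts the message; RSA only wraps that key.
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(inner, 'utf8'), c.final()]);
  const wrapped = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, key);
  return [wrapped, iv, c.getAuthTag(), body].map((b) => b.toString('base64')).join('.');
}

// Only the recipient's private key (unlocked by its passphrase) recovers the AES key.
function decryptAndVerify(message, recipient, recipientPassphrase, senderPublicKey) {
  const [wrapped, iv, tag, body] = message.split('.').map((s) => Buffer.from(s, 'base64'));
  const key = crypto.privateDecrypt(
    { key: recipient.privateKey, passphrase: recipientPassphrase, ...OAEP }, wrapped);
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  d.setAuthTag(tag);
  const inner = JSON.parse(Buffer.concat([d.update(body), d.final()]).toString('utf8'));
  // The signature check uses the sender's public key, which the recipient already holds.
  const signedBySender = crypto.verify('sha256', Buffer.from(inner.text, 'utf8'),
    senderPublicKey, Buffer.from(inner.sig, 'base64'));
  return { text: inner.text, signedBySender };
}
```

Decryption throws for anyone who lacks the recipient's private key or its passphrase, and `signedBySender` is false when the signature does not match the public key you have on file for the sender.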

Conclusion

Unfortunately, it’s difficult to find many options for Firefox. Penango is one of the best. As far as Chrome goes, you’ve got lots of options in addition to Mailvelope. Mymail-Crypt and SafeGmail are two very good options as well. Another option is to use secure and encrypted email provider services.

Don’t get me wrong. No one is saying that you can outsmart an organization like the NSA with something like public-key encryption, but at least you can give Big Brother a bit of a hard time when it comes to getting access to those messages. Make them go through the trouble of figuring out what algorithm you used, or having to break your passcode. Either way, it might at least prevent open scanning of the messages unless they have just cause to break into those email transmissions.

These days, it isn’t just the government you have to worry about. Foreign countries spy on citizens of other countries. Companies spy on the employees of their competitors. The risks are everywhere, so why not take the extra step and lock down your sensitive email messages?

Have you ever used any of these services? Do you have any other encryption methods you like to use? Share your thoughts and feedback in the comments section below!

Image Credit: Green Lock via Shutterstock

19 Comments -

Henk van Setten

Gee, all this surely looks like a way to make life terribly complicated. I suppose one must have a very good reason to take all this trouble.
For myself, I can’t think of such a reason. Maybe I’m lucky or (probably) a little naive. But even if I were to mail with some person in China (your example) I still can’t think of an obvious reason to encrypt that email exchange.
Besides, in a situation like that, wouldn’t encrypted email attract exactly the kind of attention you were trying to avoid?
Just suppose (1) I were to email with someone In China or wherever, and (2) we knew that a government was probably monitoring email communications, and (3) we wanted to discuss something secret or illegal, so (4) we took the trouble to exchange encrypted emails.
Wouldn’t that work like a red flag (no pun intended)? If I were a government monitoring email traffic, I surely would separate the few encrypted emails from all other non-encrypted emails. Those few encrypted emails would immediately draw my attention (apparently, here we have people who try to hide something) so I would mark them (and the sender, and the receiver) immediately as “highly suspect”, and hand over those emails to some professional code-breakers, and also put the sender/receiver under intensified surveillance in other ways…
Imho, in such a situation a much better way of “encrypting” would be to simply agree on some code words and expressions in advance (like spies did in WW2) so your correspondence would not look encrypted, but in all respects perfectly ordinary – and it wouldn’t draw the attention of monitoring agencies.
Like, you would mail: “Yesterday I saw Franzli, I gave him your best wishes, and he told me Eva would travel to the mountains tomorrow” and the recipient would know you meant “Yesterday I saw our Reichskanzlei agent, I gave him your bar of dynamite, and he told me Hitler was due to go to Bavaria tomorrow.” Wouldn’t messages like that both be easier, and attract less suspicion?
Ah… if only I could be James Bond… with your post you really got me dreaming of a better, much more glitzy and exciting life, Ryan!

ReadandShare

Why do quotations ” ” show up here as brackets? Is it just me?

Ryan Dube

Ha – it’s glitzy and exciting on the surface, I’m sure. Probably not so glitzy to end up in some high-security prison for treason! I do see your points btw – it could be possible encrypted transmissions would attract the interests of organizations like the government of China. I suppose it depends on who you’re trying to hide the information from I suppose. If it’s hackers or malware, it’ll do the trick – but you’re probably right that with international communications for the purpose of spying, there could be intelligence folks out there specifically targeting encrypted communications. You never know!

I actually like your idea of the “in plain sight” approach. Sending innocuous messages with embedded “hidden” messages inside that only the recipient knows to look for. Encoded images is an interesting area in that regard, but I think intelligence folks across the world are much wiser to that today – due to the fact that terrorists used that technique for many years.

007

Maybe governments like ours are watching a specific person first, followed by tapping his/her mail, instead of sifting first through a zillion emails and picking the ones which are encrypted?

Name

@Henk van Setten, there is a flaw in your idea that an encrypted email will be a red flag to the NSA watching the emails go past: there are millions and millions of emails already encrypted moving all over the planet. So your few encrypted emails will not be any more of a red flag than the millions of others.

Lots of businesses send encrypted emails to protect against general hackers, corporate espionage, disgruntled employees, competitors, foreign governments (like China), and more.

Lot of individuals send encrypted emails because they contain personal information, e.g. general medical info, financial records, Rx prescription files, psychiatric – mental health info, award winning BBQ recipes, etc.

ReadandShare

I recall reading somewhere that the laws allow NSA, etc. to track/monitor non-citizens. How can a particular agent tell? He/she only needs to be satisfied of 51% probability that the parties involved “might be” foreign. There is no process for obtaining warrant or a second look by anyone else — higher up or otherwise.

I also recall that encrypted emails may preclude said agent from making the above determination — in which case, the meta data, etc. may be stored indefinitely.

ReadandShare

The sentence in the first paragraph above should read, “There is no need for obtaining warrant…”.

Ryan Dube

I think that’s all the more reason to send the encrypted messages through a proxy service that you log into prior to creating and sending the email, as described in a number of articles here at MUO.

Given, it’s possible for them to trace you through a proxy as well, but it’s a heck of a lot more work for them, and requires not only the cooperation of the email provider, but also the proxy provider, who are notorious for not cooperating, particularly if they are located outside of the U.S.

The only thing you can’t control is if someone is tracking what’s going directly between your own computer and the proxy server. You can encrypt that, but again, nothing is perfect. Still – some protection is better than no protection.

m

Does Burn Note belong on this list?

Ryan Dube

Absolutely.

Brandon R

Ryan Dube once again you have provided a very interesting article, thanks again. I did try Mailvelope once which is basically the same as Portable PGP & I did try Safe Gmail however I prefer to rely on client apps to encrypt my data instead of web apps as I feel more safe using client apps. Oh by the way there is an extension for Chrome named Quick Encrypt which you can use for symmetric encryption also.

Ryan Dube

Thanks Brandon – and I agree 100% on client app vs. web app. I don’t like that there’s that stream of communication between my PC and the web service that’s vulnerable. I’m definitely a 100% supporter of using client encryption apps for better protection.

Rule 34

This doesn’t matter as the Guardian article said that MS gets the data from the email BEFORE the encryption is applied. If they are doing it, you can bet the others are as well.

guy

Shouldn’t gpg4win be on here?

Webscience

What I don’t understand is why somebody concerned about the secrecy of a message, who goes through the effort of encrypting it, would do this via an obscure Russian website from Igor Artamonov (whois), who doesn’t even say what is done with the messages that are sent over plain http (not even https) post?

In other words, the message is sent in plain text, so any sniffer interested in you would see it, and second, who is infoencrypt.com and what do they do with your messages that they encrypt.

So, thanks for the advice but please do your homework if you want to advise people about security and privacy.

g

You might take a look at SecureGmail, https://www.streak.com/securegmail. It appears to work only with Chrome, but the underlying code developed at Stanford University claims to be browser agnostic. This may mean an extension for Firefox could be available some day. SecureGmail APPEARS to take some of the web side risk out of the equation, but I still try to stay with client side apps only.

Good and timely article.

-g

Mahesh C

nice post very informative but you can also send exe files as attachment in how to send exe files via gmail

M. Fioretti

Check mailpile and/or the percloud http://per-cloud.com for ways to make this easier and not so browser specific.

D. Jakubowski

I’ve started using https://startmail.com as a BETA-Tester, and I think it’s great! I don’t have to do any difficult procedures with my regular mail accounts, I can just use startmail and can send an encrypted email by just checking a box. It can’t get any easier than that, and I love it. You should check it out!